def command_encrypt_ami(values):
session_id = util.make_nonce()
aws_svc = aws_service.AWSService(
session_id,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds)
log.debug('Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (brkt_cli.brkt_env_from_values(values)
or brkt_cli.get_prod_brkt_env())
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
if values.validate:
guest_image = _validate_guest_ami(aws_svc, values.ami)
else:
guest_image = aws_svc.get_image(values.ami)
pv = _use_pv_metavisor(values, guest_image)
encryptor_ami = (values.encryptor_ami
or _get_encryptor_ami(values.region, pv=pv))
default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate(aws_svc, values, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
encrypted_image_id = encrypt_ami.encrypt(
aws_svc=aws_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_ami,
encrypted_ami_name=values.encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
save_encryptor_logs=values.save_encryptor_logs)
# Print the AMI ID to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0
def command_encrypt_gce_image(values, log):
session_id = util.make_nonce()
gce_svc = gce_service.GCEService(values.project, session_id, log)
check_args(values, gce_svc)
encrypted_image_name = gce_service.get_image_name(values.encrypted_image_name, values.image)
gce_service.validate_image_name(encrypted_image_name)
gce_service.validate_images(gce_svc,
encrypted_image_name,
values.encryptor_image,
values.image,
values.image_project)
if not values.verbose:
logging.getLogger('googleapiclient').setLevel(logging.ERROR)
log.info('Starting encryptor session %s', gce_svc.get_session_id())
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
encrypted_image_id = encrypt_gce_image.encrypt(
gce_svc=gce_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=values.image,
encryptor_image=values.encryptor_image,
encrypted_image_name=encrypted_image_name,
zone=values.zone,
instance_config=make_instance_config(
values, brkt_env,mode=INSTANCE_CREATOR_MODE),
image_project=values.image_project,
keep_encryptor=values.keep_encryptor,
image_file=values.image_file,
image_bucket=values.bucket,
network=values.network,
status_port=values.status_port
)
# Print the image name to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0
def command_update_encrypted_gce_image(values, log):
session_id = util.make_nonce()
gce_svc = gce_service.GCEService(values.project, session_id, log)
check_args(values, gce_svc)
encrypted_image_name = gce_service.get_image_name(values.encrypted_image_name, values.image)
gce_service.validate_image_name(encrypted_image_name)
gce_service.validate_images(gce_svc,
encrypted_image_name,
values.encryptor_image,
values.image,
values.image_project)
if not values.verbose:
logging.getLogger('googleapiclient').setLevel(logging.ERROR)
log.info('Starting updater session %s', gce_svc.get_session_id())
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
updated_image_id = update_gce_image.update_gce_image(
gce_svc=gce_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=values.image,
encryptor_image=values.encryptor_image,
encrypted_image_name=encrypted_image_name,
zone=values.zone,
instance_config=make_instance_config(
values, brkt_env,mode=INSTANCE_UPDATER_MODE),
keep_encryptor=values.keep_encryptor,
image_file=values.image_file,
image_bucket=values.bucket,
network=values.network,
status_port=values.status_port
)
print(updated_image_id)
return 0
def command_encrypt_gce_image(values, log):
session_id = util.make_nonce()
gce_svc = gce_service.GCEService(values.project, session_id, log)
check_args(values, gce_svc)
encrypted_image_name = gce_service.get_image_name(
values.encrypted_image_name, values.image)
gce_service.validate_image_name(encrypted_image_name)
gce_service.validate_images(gce_svc, encrypted_image_name,
values.encryptor_image, values.image,
values.image_project)
if not values.verbose:
logging.getLogger('googleapiclient').setLevel(logging.ERROR)
log.info('Starting encryptor session %s', gce_svc.get_session_id())
brkt_env = (brkt_cli.brkt_env_from_values(values)
or brkt_cli.get_prod_brkt_env())
encrypted_image_id = encrypt_gce_image.encrypt(
gce_svc=gce_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=values.image,
encryptor_image=values.encryptor_image,
encrypted_image_name=encrypted_image_name,
zone=values.zone,
instance_config=make_instance_config(values,
brkt_env,
mode=INSTANCE_CREATOR_MODE),
image_project=values.image_project,
keep_encryptor=values.keep_encryptor,
image_file=values.image_file,
image_bucket=values.bucket,
network=values.network,
status_port=values.status_port)
# Print the image name to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0
def command_update_encrypted_gce_image(values, log):
session_id = util.make_nonce()
gce_svc = gce_service.GCEService(values.project, session_id, log)
check_args(values, gce_svc)
encrypted_image_name = gce_service.get_image_name(
values.encrypted_image_name, values.image)
gce_service.validate_image_name(encrypted_image_name)
gce_service.validate_images(gce_svc, encrypted_image_name,
values.encryptor_image, values.image,
values.image_project)
if not values.verbose:
logging.getLogger('googleapiclient').setLevel(logging.ERROR)
log.info('Starting updater session %s', gce_svc.get_session_id())
brkt_env = (brkt_cli.brkt_env_from_values(values)
or brkt_cli.get_prod_brkt_env())
updated_image_id = update_gce_image.update_gce_image(
gce_svc=gce_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=values.image,
encryptor_image=values.encryptor_image,
encrypted_image_name=encrypted_image_name,
zone=values.zone,
instance_config=make_instance_config(values,
brkt_env,
mode=INSTANCE_UPDATER_MODE),
keep_encryptor=values.keep_encryptor,
image_file=values.image_file,
image_bucket=values.bucket,
network=values.network,
status_port=values.status_port)
print(updated_image_id)
return 0
def test_default_brkt_env(self):
""" Test that Yeti endpoints aren't set when they're not specified
on the command line.
"""
prod_env = brkt_cli.get_prod_brkt_env()
# In creator and updater mode, we default to prod.
for mode in (INSTANCE_CREATOR_MODE, INSTANCE_UPDATER_MODE):
brkt_config = _get_brkt_config_for_cli_args(mode=mode)
self.assertEqual(
'%s:%d' % (prod_env.api_host, prod_env.api_port),
brkt_config.get('api_host')
)
self.assertEqual(
'%s:%d' % (prod_env.hsmproxy_host, prod_env.hsmproxy_port),
brkt_config.get('hsmproxy_host')
)
# In metavisor mode, we don't default the environment.
brkt_config = _get_brkt_config_for_cli_args(
mode=INSTANCE_METAVISOR_MODE)
self.assertIsNone(brkt_config.get('api_host'))
self.assertIsNone(brkt_config.get('hsmproxy_host'))
self.assertIsNone(brkt_config.get('network_host'))
def command_update_encrypted_ami(values):
nonce = util.make_nonce()
aws_svc = aws_service.AWSService(
nonce,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds)
log.debug('Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (brkt_cli.brkt_env_from_values(values)
or brkt_cli.get_prod_brkt_env())
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
encrypted_image = _validate_ami(aws_svc, values.ami)
pv = _use_pv_metavisor(values, encrypted_image)
encryptor_ami = (values.encryptor_ami
or _get_encryptor_ami(values.region, pv=pv))
default_tags = encrypt_ami.get_default_tags(nonce, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate_guest_encrypted_ami(aws_svc, encrypted_image.id,
encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
_validate(aws_svc, values, encryptor_ami)
_validate_guest_encrypted_ami(aws_svc, encrypted_image.id,
encryptor_ami)
else:
log.info('Skipping AMI validation.')
mv_image = aws_svc.get_image(encryptor_ami)
if (encrypted_image.virtualization_type != mv_image.virtualization_type):
log.error(
'Virtualization type mismatch. %s is %s, but encryptor %s is '
'%s.', encrypted_image.id, encrypted_image.virtualization_type,
mv_image.id, mv_image.virtualization_type)
return 1
encrypted_ami_name = values.encrypted_ami_name
if encrypted_ami_name:
# Check for name collision.
filters = {'name': encrypted_ami_name}
if aws_svc.get_images(filters=filters, owners=['self']):
raise ValidationError('You already own image named %s' %
encrypted_ami_name)
else:
encrypted_ami_name = _get_updated_image_name(encrypted_image.name,
nonce)
log.debug('Image name: %s', encrypted_ami_name)
aws_service.validate_image_name(encrypted_ami_name)
# Initial validation done
log.info('Updating %s with new metavisor %s', encrypted_image.id,
encryptor_ami)
updated_ami_id = update_ami(
aws_svc,
encrypted_image.id,
encryptor_ami,
encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
updater_instance_type=values.updater_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
)
print(updated_ami_id)
return 0
def command_update_encrypted_ami(values):
nonce = util.make_nonce()
aws_svc = aws_service.AWSService(
nonce,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
)
log.debug(
'Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
encrypted_image = _validate_ami(aws_svc, values.ami)
pv = _use_pv_metavisor(values, encrypted_image)
encryptor_ami = (
values.encryptor_ami or
_get_encryptor_ami(values.region, pv=pv)
)
default_tags = encrypt_ami.get_default_tags(nonce, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate_guest_encrypted_ami(
aws_svc, encrypted_image.id, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
_validate(aws_svc, values, encryptor_ami)
_validate_guest_encrypted_ami(
aws_svc, encrypted_image.id, encryptor_ami)
else:
log.info('Skipping AMI validation.')
mv_image = aws_svc.get_image(encryptor_ami)
if (encrypted_image.virtualization_type !=
mv_image.virtualization_type):
log.error(
'Virtualization type mismatch. %s is %s, but encryptor %s is '
'%s.',
encrypted_image.id,
encrypted_image.virtualization_type,
mv_image.id,
mv_image.virtualization_type
)
return 1
encrypted_ami_name = values.encrypted_ami_name
if encrypted_ami_name:
# Check for name collision.
filters = {'name': encrypted_ami_name}
if aws_svc.get_images(filters=filters, owners=['self']):
raise ValidationError(
'You already own image named %s' % encrypted_ami_name)
else:
encrypted_ami_name = _get_updated_image_name(
encrypted_image.name, nonce)
log.debug('Image name: %s', encrypted_ami_name)
aws_service.validate_image_name(encrypted_ami_name)
# Initial validation done
log.info(
'Updating %s with new metavisor %s',
encrypted_image.id, encryptor_ami
)
updated_ami_id = update_ami(
aws_svc, encrypted_image.id, encryptor_ami, encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
updater_instance_type=values.updater_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
)
print(updated_ami_id)
return 0
def command_encrypt_ami(values):
session_id = util.make_nonce()
aws_svc = aws_service.AWSService(
session_id,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
)
log.debug(
'Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
if values.validate:
guest_image = _validate_guest_ami(aws_svc, values.ami)
else:
guest_image = aws_svc.get_image(values.ami)
pv = _use_pv_metavisor(values, guest_image)
encryptor_ami = (
values.encryptor_ami or
_get_encryptor_ami(values.region, pv=pv)
)
default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate(aws_svc, values, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
encrypted_image_id = encrypt_ami.encrypt(
aws_svc=aws_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_ami,
encrypted_ami_name=values.encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
instance_config=make_instance_config(values, brkt_env),
status_port=values.status_port,
save_encryptor_logs=values.save_encryptor_logs
)
# Print the AMI ID to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0
def run_update(values, config, verbose=False):
nonce = util.make_nonce()
aws_svc = aws_service.AWSService(
nonce,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
)
log.debug(
'Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
encrypted_image = _validate_ami(aws_svc, values.ami)
encryptor_ami = values.encryptor_ami or _get_encryptor_ami(values.region)
default_tags = encrypt_ami.get_default_tags(nonce, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate_guest_encrypted_ami(
aws_svc, encrypted_image.id, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
_validate(aws_svc, values, encryptor_ami)
_validate_guest_encrypted_ami(
aws_svc, encrypted_image.id, encryptor_ami)
else:
log.info('Skipping AMI validation.')
mv_image = aws_svc.get_image(encryptor_ami)
if (encrypted_image.virtualization_type != mv_image.virtualization_type):
log.error(
'Virtualization type mismatch. %s is %s, but encryptor %s is '
'%s.',
encrypted_image.id,
encrypted_image.virtualization_type,
mv_image.id,
mv_image.virtualization_type
)
return 1
encrypted_ami_name = values.encrypted_ami_name
if encrypted_ami_name:
# Check for name collision.
filters = {'name': encrypted_ami_name}
if aws_svc.get_images(filters=filters, owners=['self']):
raise ValidationError(
'You already own image named %s' % encrypted_ami_name)
else:
encrypted_ami_name = _get_updated_image_name(
encrypted_image.name, nonce)
log.debug('Image name: %s', encrypted_ami_name)
aws_service.validate_image_name(encrypted_ami_name)
# Initial validation done
log.info(
'Updating %s with new metavisor %s',
encrypted_image.id, encryptor_ami
)
instance_config = instance_config_from_values(
values, mode=INSTANCE_UPDATER_MODE, cli_config=config)
if verbose:
with tempfile.NamedTemporaryFile(
prefix='user-data-',
delete=False
) as f:
log.debug('Writing instance user data to %s', f.name)
f.write(instance_config.make_userdata())
updated_ami_id = update_ami(
aws_svc, encrypted_image.id, encryptor_ami, encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
updater_instance_type=values.updater_instance_type,
instance_config=instance_config,
status_port=values.status_port,
)
print(updated_ami_id)
return 0
def run_encrypt(values, config, verbose=False):
session_id = util.make_nonce()
aws_svc = aws_service.AWSService(
session_id,
retry_timeout=values.retry_timeout,
retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
)
log.debug(
'Retry timeout=%.02f, initial sleep seconds=%.02f',
aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)
brkt_env = (
brkt_cli.brkt_env_from_values(values) or
brkt_cli.get_prod_brkt_env()
)
if values.validate:
# Validate the region before connecting.
_validate_region(aws_svc, values.region)
if values.token:
brkt_cli.check_jwt_auth(brkt_env, values.token)
aws_svc.connect(values.region, key_name=values.key_name)
if values.validate:
guest_image = _validate_guest_ami(aws_svc, values.ami)
else:
guest_image = aws_svc.get_image(values.ami)
encryptor_ami = values.encryptor_ami or _get_encryptor_ami(values.region)
default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)
default_tags.update(brkt_cli.parse_tags(values.tags))
aws_svc.default_tags = default_tags
if values.validate:
_validate(aws_svc, values, encryptor_ami)
brkt_cli.validate_ntp_servers(values.ntp_servers)
instance_config = instance_config_from_values(
values, mode=INSTANCE_CREATOR_MODE, cli_config=config)
if verbose:
with tempfile.NamedTemporaryFile(
prefix='user-data-',
delete=False
) as f:
log.debug('Writing instance user data to %s', f.name)
f.write(instance_config.make_userdata())
encrypted_image_id = encrypt_ami.encrypt(
aws_svc=aws_svc,
enc_svc_cls=encryptor_service.EncryptorService,
image_id=guest_image.id,
encryptor_ami=encryptor_ami,
encrypted_ami_name=values.encrypted_ami_name,
subnet_id=values.subnet_id,
security_group_ids=values.security_group_ids,
guest_instance_type=values.guest_instance_type,
instance_config=instance_config,
status_port=values.status_port,
save_encryptor_logs=values.save_encryptor_logs,
terminate_encryptor_on_failure=(
values.terminate_encryptor_on_failure)
)
# Print the AMI ID to stdout, in case the caller wants to process
# the output. Log messages go to stderr.
print(encrypted_image_id)
return 0
def _add_prod_env(self):
prod_env = brkt_cli.get_prod_brkt_env()
prod_dict = _bracket_environment_to_dict(prod_env)
self._config['environments'][BRKT_HOSTED_ENV_NAME] = prod_dict
if self._config.get('current-environment') is None:
self._config['current-environment'] = BRKT_HOSTED_ENV_NAME
def instance_config_from_values(values=None, mode=INSTANCE_CREATOR_MODE,
cli_config=None):
""" Return an InstanceConfig object, based on options specified on
the command line and Metavisor mode.
:param values an argparse.Namespace object
:param mode the mode in which Metavisor is running
:param cli_config an brkt_cli.config.CLIConfig instance
"""
brkt_config = {}
if not values:
return InstanceConfig(brkt_config, mode)
# Handle BracketEnvironment, depending on the mode.
brkt_env = None
if mode in (INSTANCE_CREATOR_MODE, INSTANCE_UPDATER_MODE):
# Yeti environment should only be set in CREATOR or UPDATER mode.
# When launching, we want to preserve the original environment that
# was specified during encryption.
#
# If the Yeti environment was not specified, use the production
# environment.
brkt_env = brkt_cli.brkt_env_from_values(values)
if cli_config is not None and brkt_env is None:
name, brkt_env = cli_config.get_current_env()
log.info('Using %s environment', name)
log.debug(brkt_env)
config_brkt_env = brkt_env or brkt_cli.get_prod_brkt_env()
add_brkt_env_to_brkt_config(config_brkt_env, brkt_config)
# We only monitor status when encrypting or updating.
brkt_config['status_port'] = (
values.status_port or
encryptor_service.ENCRYPTOR_STATUS_PORT
)
if values.token:
brkt_config['identity_token'] = values.token
if values.ntp_servers:
brkt_config['ntp_servers'] = values.ntp_servers
log.debug('Parsed brkt_config %s', brkt_config)
ic = InstanceConfig(brkt_config, mode)
# Now handle the args that cause files to be added to brkt-files
proxy_config = get_proxy_config(values)
if proxy_config:
ic.add_brkt_file('proxy.yaml', proxy_config)
if 'ca_cert' in values and values.ca_cert:
if not brkt_env:
raise ValidationError(
'Must specify --service-domain or --brkt-env when specifying '
'--ca-cert.'
)
try:
with open(values.ca_cert, 'r') as f:
ca_cert_data = f.read()
except IOError as e:
raise ValidationError(e)
try:
x509.load_pem_x509_certificate(ca_cert_data, default_backend())
except Exception as e:
raise ValidationError('Error validating CA cert: %s' % e)
domain = get_domain_from_brkt_env(brkt_env)
ca_cert_filename = 'ca_cert.pem.' + domain
ic.add_brkt_file(ca_cert_filename, ca_cert_data)
if 'guest_fqdn' in values and values.guest_fqdn:
ic.add_brkt_file('vpn.yaml', 'fqdn: ' + values.guest_fqdn)
return ic
